DSCSADrug Supply Chain Security Act

The Drug Supply Chain Security Act (DSCSA) was signed into law on 27 November 2013 as Title II of the Drug Quality and Security Act, the federal response to the New England Compounding Center meningitis outbreak. It pre-empted a growing patchwork of state pedigree laws (California's e-Pedigree being the most aggressive) and replaced them with a single, ten-year, phased build-out to a national electronic, interoperable, unit-level prescription-drug traceability system.

The act distributes obligations across five trading-partner classes: manufacturers, repackagers, wholesale distributors, third-party logistics providers (3PLs) and dispensers (pharmacies). Each class has its own timeline and its own duties — manufacturers serialise first, wholesalers aggregate and verify, dispensers receive and verify, and everyone exchanges transaction information in an electronic, interoperable format by the end-state deadline.

Enforcement discretion does not eliminate the obligation — it defers enforcement. Trading partners can still refuse to do business with non-EDDS counterparties, and many wholesalers have begun to do so. The market is moving faster than the regulator.

DSCSA requires the smallest saleable unit of every prescription drug to carry a Standardized Numerical Identifier (SNI), encoded in a 2D DataMatrix and printed in human-readable form. The SNI is a GTIN plus a unique serial number per pack, plus the lot number, plus the expiry date — all encoded with GS1 Application Identifiers:

• (01) GTIN — 14 digits identifying the trade item.
• (21) Serial — up to 20 alphanumeric characters, unique per pack within the GTIN.
• (17) Expiry date — YYMMDD.
• (10) Batch / lot — up to 20 alphanumeric characters.

The DataMatrix is typically printed on the carton at the end of the packaging line by a print-and-apply or print-and-verify station. Each printed code must be vision-verified before the pack leaves the line — unreadable codes are recall events at the dispenser end. The serial pool is allocated centrally (or generated deterministically from a pack counter) and must not repeat within the GTIN over the regulated retention horizon.

Aggregation — though not strictly required by DSCSA itself — is how the chain stays operationally sane. Cases get an SSCC (GS1 AI (00)) that maps to the serials of the packs inside; pallets get an SSCC that maps to the SSCCs of the cases on the pallet. Wholesalers can scan a single pallet SSCC and inherit the full serial manifest, rather than scanning every carton individually.

Three documents must accompany every change-of-ownership transaction. Transaction Information (TI) lists the product, NDC, lot, dosage form, strength, container size, number of containers, and from-/to-party details — plus, in the post-EDDS world, the serial numbers. Transaction History (TH) was a chain-of-custody trail of all prior TIs going back to the manufacturer; under EDDS, TH is retired (the chain is reconstructible from electronic TI lookups). Transaction Statement (TS) is a one-paragraph attestation by the seller that they have systems and processes to comply with DSCSA, that the product is not counterfeit, that they were authorised, and that they did not knowingly ship suspect product.

Under EDDS, TI and TS must be exchanged electronically in an interoperable format. The market has converged on the GS1 Electronic Product Code Information Services (EPCIS) 1.2 standard, encoded as XML or JSON, transmitted via AS2, SFTP or REST API — sometimes through a hub provider (TraceLink, RxScan, Rfxcel, Movilitas, SAP ATTP) and sometimes peer-to-peer. The choice of network is the trading partners' — DSCSA mandates the data, not the pipe.

Section 582 of the FD&C Act (the operative DSCSA section) requires every trading partner to investigate suspect product — units believed to be counterfeit, diverted, stolen, or fraudulent — and to verify the product identifier with the manufacturer or the manufacturer's exclusive distributor of record. Under EDDS, verification is unit-level: a wholesaler that suspects a returned carton submits the SNI to the manufacturer's verification router (the Verification Routing Service, VRS, run by industry-standard providers) and gets back PASS, FAIL or UNRESOLVED within seconds.

The VRS architecture is decentralised — there is no central database. The Look-up Directory (LD) lets a requester find the manufacturer's verification endpoint for a given GTIN; the verification request then goes directly to that endpoint. Manufacturers operate (or contract for) their own VRS instance that holds the serial pool, the commissioning history, and the current status of each serial.

Recall scope under DSCSA is unit-precise. The FDA can ask 'show me every customer that received serial range X' and the manufacturer must answer from the EDDS records, not from a paper distribution list. Wholesalers can refuse to ship recalled serials because the recall is broadcast at the serial level and the warehouse-management system blocks pick at scan.

DSCSA prohibits any trading partner from buying from, selling to, or accepting product from anyone who is not an Authorised Trading Partner. ATP status means the partner is registered with the FDA (for manufacturers, repackagers, wholesalers) or licensed in their state (for dispensers, 3PLs) and in good standing. Trading partners must verify ATP status before transacting — typically via the FDA's ATP look-up tools and state-board databases — and must re-verify periodically.

ATP verification is mostly a procurement-IT problem. The ERP or wholesale-management system holds the ATP status of every counterparty, refuses new POs to non-ATP suppliers, and ages out verified status after the configured period. The interesting failure mode is acquisitions — when a buyer acquires a seller and the legal entity changes, ATP must be re-verified or trading stops.

DSCSA covers prescription drugs as defined in section 503(b) of the FD&C Act. Out of scope: OTC drugs, animal drugs, blood, blood components, radioactive drugs (covered separately by Part 212 and state radioactive-materials rules), imaging agents (with some narrow exceptions), medical gases, IV solutions used to maintain equilibrium and certain compounded products. Devices are separately covered by UDI under 21 CFR 830 — DSCSA does not apply.

Within prescription drugs there are narrow exemptions for samples, intracompany transfers, dispensing in the course of practice, and licensed compounding. Each exemption has specific conditions, and trying to claim one without meeting the conditions is treated as a violation, not an oversight.

1. Packaging lines need a serialisation print-and-verify station — typically a thermal transfer printer or laser marker with an integrated vision-verification camera. Failed prints reject to a tray and the serial is voided in the serial-management system before the line restarts.
2. An aggregation station builds the case-pack and prints the SSCC label; the case SSCC ⇄ pack serial map is recorded in the EPCIS event store as the line runs.
3. A line-clearance step at end of run reconciles serials commissioned vs serials shipped vs serials voided. A missing serial blocks the WO from closing.
4. EPCIS commissioning, packing, shipping and decommissioning events stream from the line into the serial-management system in near-real-time.
5. ERP/order-management generates the TI/TS bundle on shipment from the EPCIS events plus the order line; the bundle is transmitted to the trading partner before or with the physical delivery.
6. Returns are scanned unit-by-unit and verified against the originating commissioning record before being returned to saleable stock.

• Aggregation breaks. The case SSCC says 24 packs; physical count is 23. Wholesaler refuses receipt or treats the whole pallet as suspect.
• EPCIS event sequencing. Commissioning event arrives at the hub after the shipping event. Verification fails because the serial was 'never commissioned'.
• Serial pool exhaustion or duplication. Allocator runs out of serials mid-shift; manual workaround re-uses a serial range. Recall years later cannot resolve which physical unit is which.
• ATP not refreshed. Wholesaler's licence lapsed three months ago; manufacturer keeps shipping; FDA inspection finding.
• Print-quality drift. ANSI grade slowly degrades over a print head's life; codes become unreadable in the field weeks after acceptance.
• Returns. A pack returns from a dispenser; the manufacturer's VRS does not know about a status change made by the wholesaler; verification fails.
• Sample drugs. Sales reps' sample distribution often runs on a different system; samples and commercial product diverge in serialisation maturity.

V5's role in the DSCSA stack is the cGMP layer at the line — the operator workflow, the BMR record, the equipment and operator attribution for every serial event, the line clearance, and the integration into the customer's chosen serialisation hub. V5 does not pretend to be a serialisation network.

• Serialisation print-and-verify is a kiosk step with mandatory vision-grade capture (ANSI A/B/C/D/F) and immediate void of below-grade prints.
• Case aggregation is a guided step at the kiosk — scan SSCC, scan each pack serial, count match, sign.
• Line clearance reconciles commissioned vs printed vs verified vs packed vs voided. Mismatches block WO close.
• EPCIS commissioning, packing, shipping events are emitted to the customer's hub of choice (TraceLink, RxScan, Rfxcel, Movilitas, SAP ATTP) via the configured EPCIS connector.
• The BMR records every serial event with operator, timestamp, station and grade — the cGMP evidence layer the hub does not provide.
• Recall query: enter a serial range and V5 returns the originating WO, operators, equipment, components and shipment destination in seconds.

DSCSA does not name EPCIS in the statute, but the industry settled on GS1 EPCIS 1.2 as the de-facto event grammar for unit-level traceability because the FDA's data-exchange expectations map cleanly onto its four core event types. Understanding the event shapes is the difference between a serialisation programme that scales and one that drowns in reconciliation tickets after every release.

• ObjectEvent — a single, atomic action against a list of EPCs (commission, decommission, observe). The bizStep vocabulary (urn:epcglobal:cbv:bizstep:commissioning, ...:shipping, ...:receiving, ...:retail_selling, ...:disposing) is what gives the event its DSCSA meaning.
• AggregationEvent — bind child EPCs to a parent EPC (pack-into-case, case-onto-pallet) or unbind them. Action ADD/OBSERVE/DELETE is mandatory. Aggregation is the linchpin of inference: if the case is verified, every pack inside is verified by inference, which is why the wholesaler will not even open the case.
• TransactionEvent — bind EPCs to a business transaction reference (PO, ASN, invoice). This is where the EPCIS event store meets the ERP and where the TI/TS bundle is sourced for outbound shipments.
• TransformationEvent — record a packaging or repackaging step that consumes input EPCs and emits new output EPCs with a new GTIN. Used for repackagers operating under section 582(e); often skipped at manufacturer sites that do not repack.

The most common production-line failure is event ordering: the shipping ObjectEvent reaches the hub before the commissioning ObjectEvent because the line transmits in micro-batches and the network back-pressures. Mature implementations stamp eventTime (when the physical event occurred at the line) separately from recordTime (when the hub ingested the event) and order downstream verification on eventTime. V5 captures both stamps at the kiosk so that hub-side replay can reconstruct true line order even when transmission is out of sequence.

DSCSA is the US scheme, but every regulated pharma manufacturer ships into multiple regimes. The engineering shape is similar everywhere — unique pack identifier, 2D-DataMatrix carrier, central verification system — but the data models, the carrier choices, and the verification flows differ in ways that bite if assumed equivalent.

The dangerous assumption is that one EPCIS feed satisfies all regimes. It does not. The EU NMVS expects per-event uploads with country-specific timing rules. India's iVEDA expects file uploads with a specific manifest. China's eDrug Code regime accepts EPCIS but with extensions. A serialisation programme that targets DSCSA only and bolts the others on later typically spends 30–50% of its second-year budget on rework. Design the line so the kiosk captures a superset of fields once and the integration layer routes per-market.

DSCSA section 582 sets out the trading-partner obligations when a product is suspected of being counterfeit, diverted, stolen, intentionally adulterated, or otherwise unfit for distribution. Quarantine the product, investigate within 24 hours, and if the investigation cannot clear the product, treat it as illegitimate and notify the FDA via FORM FDA 3911 within 24 hours of determination. The downstream consequence — once the FDA notification is filed — is that every other trading partner who handled the affected serials gets a notification and must clear or quarantine their own stock in turn.

• Quarantine: physical segregation in a separately controlled location with a deviation/CAPA record on the warehouse system.
• Investigation: pull the commissioning EPCIS event, the shipping event, the receiving event, the chain of custody since the last verified VRS check, the operator records at the line, and any deviations on the originating WO.
• Clearance: documented finding that the product is legitimate. The investigation file is the audit-trail of record and must be retained for six years from the date of the transaction.
• FDA notification: FORM FDA 3911 within 24 hours of determination of illegitimacy. Notification cancellation: filed within 24 hours of any reversal.
• Trading-partner notification: every immediate trading partner in possession of the affected serial range must be notified within 24 hours.

The single highest-leverage capability for the manufacturer's QA team is the ability to query 'which lot, which WO, which operators, which equipment, which components, which destinations' from a serial range in under two minutes. Investigators who have to assemble that picture from spreadsheets miss the 24-hour clock. V5's recall query is built specifically for this scenario: a serial range goes in, the originating WO and the full BMR chain comes out, including operator stations, equipment IDs, dispense weights and packaging-line events.